ENT-13777, ENT-13784: Added container-based CFEngine package builder#2146
ENT-13777, ENT-13784: Added container-based CFEngine package builder#2146larsewi wants to merge 10 commits intocfengine:masterfrom
Conversation
|
Thanks for submitting a pull request! Maybe @craigcomstock can review this? |
olehermanse
left a comment
olehermanse
left a comment
There was a problem hiding this comment.
Looks good overall, some comments and suggestions here and there.
| @@ -0,0 +1,362 @@ | |||
| #!/usr/bin/env python3 | |||
There was a problem hiding this comment.
IIRC craig said we already have a script for this, which is used in GH Actions. Might be good to align this, maybe delete the old one and start using the new one if appropriate.
There was a problem hiding this comment.
Yepp, he probably means enterprise/ci/docker-build-package.sh. Although this script also runs tests, which we are trying to separate.
We can replace it after adding SFTP cache support to build-in-container.py.
| # === Build steps === | ||
| run_step "01-autogen" "$BASEDIR/buildscripts/build-scripts/autogen" | ||
| run_step "02-install-dependencies" "$BASEDIR/buildscripts/build-scripts/install-dependencies" | ||
| if [ "$EXPLICIT_ROLE" = "hub" ]; then | ||
| run_step "03-mission-portal-deps" install_mission_portal_deps | ||
| fi | ||
| run_step "04-configure" "$BASEDIR/buildscripts/build-scripts/configure" | ||
| run_step "05-compile" "$BASEDIR/buildscripts/build-scripts/compile" | ||
| run_step "06-package" "$BASEDIR/buildscripts/build-scripts/package" |
There was a problem hiding this comment.
Looks like we should rename build-scripts folder to steps / build-steps 😅.
|
|
||
| ENV DEBIAN_FRONTEND=noninteractive | ||
|
|
||
| # Build tools extracted from ci/cfengine-build-host-setup.cf (debian|ubuntu section) |
There was a problem hiding this comment.
yeah, it would be sad to copy/paste that content here so that now we have to maintain two locations again.
There was a problem hiding this comment.
Yeah, I will look into these things
There was a problem hiding this comment.
This is a bigger task. The policy does a lot of things we don't want in a container. I also see that we do the same in enterprise/ci/setup.sh. So we basically have three places where we maintain these dependencies. I think the ci/cfengine-build-host-setup.cf would need some refactoring.
Maybe we should do this in a separate ticket?
|
|
||
| # Hub build tools: Node.js 20 LTS (system nodejs is too old for modern npm | ||
| # packages that use the node: protocol), PHP, and Composer | ||
| RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \ |
There was a problem hiding this comment.
would be nice to stick with individual scripts we can maintain with new versions like https://github.com/cfengine/buildscripts/blob/master/ci/linux-install-jdk21.sh
larsewi
force-pushed
the
container
branch
3 times, most recently
from
a950f51 to
945be75
Compare
Introduced build-in-container, a Python/Docker-based build system that builds CFEngine packages inside containers using the existing build scripts. Ticket: ENT-13777 Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Replaced the ListPlatformsAction custom argparse action with a simple --list-platforms store_true flag, and moved argument validation from argparse's required=True to manual post-parse checks. This allows future flags (e.g. --push-image) to bypass build-specific arguments like --project, --role, and --build-type. Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
larsewi
force-pushed
the
container
branch
3 times, most recently
from
ff051d4 to
60bb3a1
Compare
Each platform entry now includes a versioned image_tag field composed from the platform name and IMAGE_VERSION. The build_image() function uses this tag instead of constructing it locally. This prepares for registry-based image management where the tag includes a version for cache busting. Ticket: ENT-13784 Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
The --push-image flag is a standalone image management operation that builds and pushes a container image to the registry. It only requires --platform (not --project/--role/--build-type). Ticket: ENT-13784 Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
- registry_image_ref() returns the fully-qualified ghcr.io reference - pull_image() pulls from the registry, returns None on failure - push_image() tags a local image and pushes it to the registry Ticket: ENT-13784 Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
- --push-image: builds with --no-cache and pushes to registry, then exits - --rebuild-image: builds locally, skips registry - Default: pulls from registry, falls back to local build on failure Ticket: ENT-13784 Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Added --push-image to argument tables, documented the registry pull/push workflow, fallback behavior, and toolchain update process. Ticket: ENT-13784 Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
Manually triggered workflow that builds and pushes container images to ghcr.io. Builds all platforms in parallel via a matrix strategy. Ticket: ENT-13784 Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
larsewi
changed the title
|
Added container registry support since last review and tested it on my fork. Seems to work. Maybe we need to edit some permissions upstream. @olehermanse, @craigcomstock this is a rough WIP please let me know what you think. |
|
|
||
| log = logging.getLogger("build-in-container") | ||
|
|
||
| IMAGE_REGISTRY = "ghcr.io/cfengine" |
There was a problem hiding this comment.
We do have a docker hub account FWIW. Not sure if we want to use either really...
There was a problem hiding this comment.
What would you suggest instead?
| parser.add_argument( | ||
| "--push-image", | ||
| action="store_true", | ||
| help="Build image and push to registry, then exit", |
There was a problem hiding this comment.
are credentials required for pushing?
There was a problem hiding this comment.
You can use the GITHUB_TOKEN. See https://github.com/docker/login-action?tab=readme-ov-file#github-container-registry
|
|
||
| ### Container registry | ||
|
|
||
| Images are hosted at `ghcr.io/cfengine` and versioned via `IMAGE_VERSION` in |
There was a problem hiding this comment.
Here you might mention what credentials you need to push or to pull?
There was a problem hiding this comment.
GITHUB_TOKEN to push (done through manually triggered workflow). To pull, no credentials needed as long as the images are made public (which we intend). You can push manually, but then you would need a PAT (classic)
Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
4 participants
build-in-container, a Python/Docker-based build tool that builds CFEngine packages inside containers using the existing build scriptsSee
build-in-container.mdfor full documentation.